“Diversity can be a strength, but in a statewide contest, I don’t have to hack all the machines. I just have to hack some machines.”

J. Alex Halderman, University of Michigan’s Center for Computer Security and Society

A key swing state, Wisconsin was the scene of Russian measures in 2016 that utilized social media and also probed the websites of government agencies.

Wisconsin and other battleground states including Pennsylvania were targeted by a sophisticated social media campaign, according to a recent University of Wisconsin-Madison study headed by journalism professor Young Mie Kim. This campaign tapped into divisive issues like race, gun control and gay and transgender rights.

Alleged Kremlin-linked operatives also probed the website of the Democratic Party of Wisconsin. The websites of Ashland, Bayfield and Washburn in northern Wisconsin were targeted from Internet Protocol (IP) addresses listed in the joint FBI and Department of Homeland Security report on Russian malicious activity. And in July 2016, Russian government operatives attacked the Wisconsin Department of Workforce Development website, state officials reported.

Early in May, the U.S. Senate Intelligence Committee reported that “in 2016, cyberactors affiliated with the Russian Government conducted an unprecedented, coordinated nationwide cyber-campaign against state election infrastructures.”

Julie Routhieaux, administrative specialist in Little Chute, climbs into the DS200 scanner and tabulator voting machine to clear a paper jam caused by a stuck absentee ballot during the June 12 special election in the 1st Senate District. Working with her are Rita Mollen, chief election inspector, left, Municipal Clerk Laurie Decker, center, and Deborah Hermsen, election-chief-in-training, right. Decker said that the paper jam, or the act of clearing it, had no effect on election security.(Photo: Coburn Dukehart/Wisconsin Center for Investigative Journalism)

“Russian actors scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database,” the committee found, adding that it had not uncovered any alterations in vote tallies or voter information.

Five top elections experts told the Wisconsin Center for Investigative Journalism that Wisconsin’s voting systems are vulnerable. Some pointed to the Voting Machine Hacking Village demonstration last July at DEFCON, the annual cybersecurity conference held in Las Vegas.

“By the end of the (four-day) conference, every piece of equipment in the Voting Village
was effectively breached in some manner,” according to a report released after the conference. “Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity and availability of these systems.”

However, municipal and county clerks interviewed by the Center say they are not worried about a cyberattack, citing the fact that voting in Wisconsin is not centrally coordinated but conducted on a local level by 1,854 communities. They also note that the voting machines are not connected to the internet.

“The election interference ... is not the greatest threat to our democracy. We've blown it way out of proportion.”

Sen. Ron Johnson

The U.S. Senate Committee on Homeland Security and Governmental Affairs chaired by Wisconsin Sen. Ron Johnson, has heard testimony from experts warning of Russia’s continued activities. Yet the Republican is not convinced it is a big problem.

“The election interference ... is not the greatest threat to our democracy. We've blown it way out of proportion,” he told the Washington Examiner.

Others are not so sure. The left-leaning Center for American Progress concluded that Wisconsin’s “failure to carry out post-election audits that test the accuracy of election outcomes leaves the state open to undetected hacking and other Election Day problems.”

Recount confirms results, raises concerns

Wisconsin’s 2016 presidential vote recount, requested by Green Party presidential candidate Jill Stein, found no evidence of election tampering or foreign interference, but it did uncover thousands of miscounted votes.

“Even now, with what happened with Russians intentionally trying to affect the election, I’m still more worried about a tornado or flood.”

Dane County Clerk Scott McDonell

“Our best estimate is that at least one in 117 votes (statewide) was miscounted, and probably more,” said Barry Burden, political science professor at the UW-Madison. Burden, who is a director of the UW Elections Research Center, led a study of the 2016 recount.

“As a voter, to think that there’s one in a hundred chance that my ballot would be miscounted — that would be alarming,” Burden said.

But many Wisconsin election officials say the concern is overblown. Dane County Clerk Scott McDonell told the Center that “Even now, with what happened with Russians intentionally trying to affect the election, I’m still more worried about a tornado or flood.”

Activists push post-election audits

Karen McKim is coordinator for the Madison-based grassroots group Wisconsin Election Integrity, which focuses on “appropriate” use of technology to secure Wisconsin’s elections.

McKim has many stories of election errors. In the 2016 general election, she noticed that hundreds of voters in the Oneida County community of Hazelhurst cast ballots in the U.S. Senate race but not for president. It turned out to be a clerical error.

In 2014, hundreds of votes in a Stoughton municipal referendum were not initially counted, possibly because of “dust bunnies” that covered the optical scanners’ lenses. In Monroe, election officials lost 110 ballots cast in the state Senate Democratic primary of 2014.

Such errors, she said, are not uncommon. A former Wisconsin Legislative Audit Bureau veteran, McKim not only identifies mistakes but seeks to correct them. Since 2012, she has been advocating post-election audits to verify the accuracy of election outcomes.

She favors a statistically based protocol known as a “risk-limiting audit” which involves counting a small sample of ballots. It is recommended by the Senate Intelligence Committee and has recently become a requirement in Colorado, Rhode Island and Virginia, according to the National Conference of State Legislatures.

Some officials skeptical audits needed

Wisconsin law already requires election officials to conduct voting equipment audits after general elections. The procedure, however, does not verify the accuracy of election outcomes, only whether the machines functioned properly. But that could change.

Wisconsin Elections Commission Interim Administrator Meagan Wolfe said her staff recently observed Colorado’s risk-limiting audit process. She said the agency is looking for ways to implement such audits consistent with existing law. The measure will be discussed at the next WEC meeting on Sept. 25, Wolfe said.

Although McDonell agrees risk-limiting post-election audits are probably a good idea, he does not plan to implement the measure anytime soon. He is confident in the integrity of Dane County’s system, noting that software that tallies the votes and programs the machine to read the ballots “are not connected to the internet.”

“All they have to do is unseal those bags and count votes in public and prove that the voting machines are working right — but they don’t.”

“I know that the (Wisconsin Elections Commission) is overseeing election security in the equipment we use, the processes of the conducting of our elections and how our equipment is tested and certified,” said Goeckner, adding that the diversity of Wisconsin’s election systems is the best security check.

One advantage Wisconsin has over some other states: Paper ballots. No matter what kind of machine is used, there is a paper ballot produced for every vote cast. In interviews with the Center, leading national experts said keeping the paper trail is not enough.

“That’s the reason why you have paper — it shouldn’t be for show,” said Lawrence Norden, the deputy director of the Democracy Program at the Brennan Center for Justice at New York University School of Law. “There’s no question Wisconsin doesn’t do the kind of audits it should be doing.”

Hackers pierce veil of security

In April, Halderman staged a demonstration on how to hack AccuVote TS and TSX touch-screen voting machines. The breached machines were in use in 2016 in about half of the states, including Wisconsin. As of Jan. 1 of this year, municipalities in the following Wisconsin counties were using AccuVote TSX machines for voters with disabilities: Calumet, Manitowoc, Walworth and Waushara counties.

Students participate in a voting demonstration at the University of Michigan in 2018, organized by J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society. Students were asked to pick which school was better — Michigan or Ohio State. From his office computer, Halderman remotely altered the tally, making Ohio State the winner in a race where the majority of voters picked Michigan.(Photo: University of Michigan Computer Science and Engineering Department)

In the demonstration, University of Michigan students were asked to pick the better school in a race with two candidates — Michigan itself and The Ohio State University. From his office computer, Halderman remotely altered the tally, making Ohio State the winner in a race where the majority of voters picked Michigan.

During the DEFCON event, more than 25 voting machines and electronic poll books were breached. Some of them had default usernames and passwords, such as “admin” and “abcde,” while others had parts manufactured in China, which could be designed to be vulnerable to manipulation, according to the DEFCON report.

While the voting systems hacked at DEFCON and by Halderman were touch screens, experts question whether optical scanners, in wide use in Wisconsin, also are hackable.

A recent New York Times Magazine report cited a machine in Pennsylvania’s Venango County that was miscounting votes due to a calibration error. It contained software that allowed a county contractor to work on the machine remotely — but also made it vulnerable to hacking.

Some Wisconsin counties outsource pre-election programming to private companies. The Elections Commission “does not currently track which, or how many, counties, program their equipment in-house or by using a vendor,” Wolfe said.

At the Voting Machine Hacking Village demonstration in July 2017, hackers attending the DEFCON conference in Las Vegas managed to breach more than 25 voting machines and voter registration systems used in the U.S..(Photo: Courtesy of DEFCON )

According to a leaked National Security Agency reportpublished by The Intercept, an unnamed U.S. voting software supplier was the target of a cyberattack. It was allegedly conducted by the same Russian intelligence agency whose 12 officers were recently indicted as part of Special Counsel Robert Mueller’s investigation. The attackers “sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election,” The Intercept reported.

Wisconsin, Congress take some action

This March, Congress passed a bipartisan measure allocating $380 million to boost election systems security in all 50 states. Wisconsin received $7 million.

Wisconsin’s grant will pay for six full-time election and cybersecurity positions at the Wisconsin Elections Commission, to strengthen WisVote, the statewide voter registration system, and for election security trainings for local officials.

The next statewide election in Wisconsin is the Aug. 14 primary. Wolfe said all of the resources, including the six security-related positions, will be in place by the Nov. 6 general election.

McKim said questions over Wisconsin’s election security could be “easily fixed.”

“All they have to do is unseal those bags and count votes in public and prove that the voting machines are working right — but they don’t.”

Grigor Atanesian, a native of St. Petersburg, Russia, is an Edmund S. Muskie fellow at the Wisconsin Center for Investigative Journalism. He studies investigative reporting at the University of Missouri School of Journalism via a Fulbright grant. The nonprofit Center (www.WisconsinWatch.org) collaborates with Wisconsin Public Radio, Wisconsin Public Television, other news media and the UW-Madison School of Journalism and Mass Communication. All works created, published, posted or disseminated by the Center do not necessarily reflect the views or opinions of UW-Madison or any of its affiliates. The Center’s coverage of democracy issues is supported by The Joyce Foundation.